Data Processing Addendum
Last updated: 26 June 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between BytesBrains Pte Ltd ("BytesBrains", "Processor"), Singapore, and the customer ("Customer", "Controller") using wrokin (the "Service"). It applies where we process personal data contained in your repository content on your behalf.
1. Roles
The Customer is the controller (or "data fiduciary"); BytesBrains is the processor acting on the Customer's documented instructions. The Customer's selected LLM provider and our hosting provider are sub-processors (Section 6).
2. Subject matter & duration
Subject matter: processing repository content to provide the agent Service. Duration: for as long as the App is installed, plus the retention periods in the Privacy Policy.
3. Nature & purpose; data & data subjects
- Nature/purpose: reading repository files, diffs, issues and pull requests; sending relevant context to the Customer's chosen LLM (BYOK); and, where enabled, proposing code changes — to deliver code review, security audit, triage, context-gathering and the Builder.
- Personal data: any personal data the Customer's repositories happen to contain (e.g. names/emails in code, commits, or issues), plus GitHub identifiers.
- Data subjects: the Customer's developers, contributors, and any individuals referenced in the repositories.
4. Processor obligations
- Process personal data only on the Customer's documented instructions (these Terms and use of the Service), unless required by law.
- Ensure persons authorised to process are under confidentiality obligations.
- Implement appropriate technical and organisational measures (Section 5).
- Assist the Customer, taking into account the nature of processing, with data-subject requests and with security, breach-notification, and impact-assessment obligations.
- Notify the Customer without undue delay after becoming aware of a personal-data breach affecting their data.
- Delete or return personal data on termination, subject to legal retention and the cache/retention periods in the Privacy Policy.
- Make available information reasonably necessary to demonstrate compliance and allow for reasonable audits (Section 7).
5. Security measures
BYOK keys encrypted at rest; per-installation tenant isolation (every data access scoped to the installation); keys never logged; transient processing of repository content; access controls and secret management for our infrastructure. We do not claim SOC 2 or end-to-end encryption.
6. Sub-processors
The Customer authorises these sub-processors:
| Sub-processor | Role | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting (Workers, KV, D1, Queues, Pages) | Global edge |
| The LLM provider selected by the Customer — Anthropic, OpenAI, Google, Mistral, DeepSeek, or OpenRouter | Generating agent output from repository context, using the Customer's BYOK key | Varies (often US) |
Under BYOK, the Customer directs the transfer of context to its chosen LLM provider under the Customer's own account with that provider. We will give notice of new or replacement sub-processors and the Customer may object on reasonable data-protection grounds.
7. Audits
On reasonable prior written request and no more than once per year (unless required by a supervisory authority), we will provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality.
8. International transfers
Where personal data is transferred across borders (including to US-based LLM providers), the parties rely on appropriate safeguards such as the Standard Contractual Clauses or equivalent mechanisms recognised under the GDPR, and on the Customer-directed nature of BYOK transfers.
9. Applicable law
This DPA is intended to satisfy Art. 28 GDPR for EU/UK customers, Singapore's PDPA, and India's DPDP Act, 2023, as applicable, and is governed by the law stated in the Terms (Singapore).
10. Contact
BytesBrains Pte Ltd, Singapore — contact@bytesbrains.com · bytesbrains.com